October 13, 2006 - MUSKEGON, DejaNET Communications today received an email with the subject "Order ID : 37679041". The email looks VERY similar to an email confirmation about a recent laptop purchase from a major retailer. The email goes on to state that an Order Summary is attached to the email and is an Adobe .PDF file. Unsuspecting recipients of this email may be concerned that they are a victim of identity theft and will open the attachment to find out more info.
The problem is that the attachment is in .zip format and once unzipped, it is actually an .EXE file and NOT really a .PDF file as stated in the fake email. Opening the .EXE file is what actually executes and sets off this virus/trojan. Once executed, the computer is compromised in many ways.
This email contains a virus/trojan and anyone receiving this email or any variant should not open the attachment, nor should it be forwarded to others. Simply delete it immediately.
The email and virus/trojan combination was first found on the Internet on October 10, 2006.
An exact copy of the email received by DejaNET Communications is shown in full below (minus full header info and the attachment itself):
START OF EMAIL
Thank you for ordering from our internet shop. If you paid with a credit card, the charge on your statement will be from name of our shop.
This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.
Date : 08 Oct 2006 - 12:40
Payment by Credit card
Product : Quantity : Price
Subtotal : 2,449.99
Your Order Summary located in the attachment file ( self-extracting archive with "37679041.pdf" file ).
PDF (Portable Document Format) files are created by Adobe Acrobat software and can be viewed with Adobe
We will ship your order from the warehouse nearest to you that has your items in stock (NY, TN, UT & CA). We strive to ship all orders the same day, but please allow 24hrs for processing.
You will receive another email with tracking information soon.
We hope you enjoy your order!
Thank you for shopping with us!
This email is a hoax and contains a virus/trojan in the attached file.
Delete it immediately and do not pass it on to others. As long as you DO NOT open and EXECUTE the attachment, nothing has happened to your system nor has anything been ordered and billed to you. If you DID happen to open the attachment WITHOUT ALREADY HAVING an antivirus program (with definitions updated since October 10, 2006) in place that immediately halted/deleted the virus, you should immediately change all of your passwords that have been saved on your computer as well as any not saved on your computer that you may have used since October 10, 2006, and install an antivirus program with updated definitions in order to remove the virus completely from your system. Symantec, Panda, McAfee, Trend, and others also provide free online virus scanning. Read on below to see what files were dropped and/or modified by this virus/trojan. Google one of those antivirus terms to find a free online scanner if also needed.
INDICATIONS OF AN INFECTION - FROM SYMANTEC (Norton Antivirus):
Once executed, Backdoor.Haxdoor.R performs the following actions:
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32
"Start" = "[NUMBER]" from the registry subkey: to disable the Windows Security Center.
"EnforceWriteProtection" = "0" to the registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to disable Microsoft DEP write protection.
Control the device driver of the rootkit
Steal passwords stored in Protected Storage
Steal cached passwords by calling WNetEnumCachedPasswords API
Steal the Miranda IM password
Gather dialup connection information
Check if WebMoney application is installed on the compromised computer
Steal ICQ passwords
Haxdoor.NJ carries out the
If the user accesses any of them, Haxdoor.NJ uses the rootkit detected as Rootkit/Haxdoor.NJ in order to log any information entered by the user. This way, Haxdoor.NJ obtains confidential information about the user, such as passwords.
"DllName" = "ydsvgd.dll"
"ydsvgd.sys" is the rootkit component of this trojan and is responsible for hiding the presence of the trojan on an infected system. It hooks into the System Service Descriptor Table (SSDT) and alters the addresses corresponding to the NTXXX functions implemented in Ntoskrnl.exe
AutoComplete passwords in Internet Explorer
Password-protected sites in Internet Explorer
IM and Dialup connection passwords
You can read more about this virus/trojan by visiting the following links:
A search on Google for the term "37679041" currently returns over 47 pages with info relating to this scam.
A search on Google for the term "WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99" currently returns over 12 pages with info relating to this scam.
If your router and/or email program will allow you to filter/block by domain name, then setup a new filter to block the domain name: "grci.info" (without the quotes).
If your email program will allow you to filter/block by subject, then setup a filter to block "Order ID : 37679041" (without the quotes).
If your email program or server itself (Cpanel will do this - go to email filters) will allow you to block by email body content, then setup a filter to block all emails containing within the body "WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99" (without the quotes).
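The three filter rules above (sender domain, subject line, body text), plus the ".zip that really holds an .EXE" check described earlier in the alert, can be applied to a message with the Python standard library alone. This is an added example, not code from DejaNET or from any antivirus vendor; the sample message it builds is constructed to resemble the quoted email and is not the real one.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the alert above.
BLOCK_DOMAIN = "grci.info"
BLOCK_SUBJECT = "Order ID : 37679041"
BLOCK_BODY = "WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")  # executables hiding behind ".pdf"

def archive_has_executable(data: bytes) -> bool:
    # True if a .zip attachment contains a member with an executable extension
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXTS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def filter_reasons(raw: bytes) -> list:
    # Return every rule the raw RFC 822 message trips; empty list means "pass".
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = msg.get("From", "")
    if sender.lower().rstrip(">").endswith("@" + BLOCK_DOMAIN):
        reasons.append("sender domain")
    if BLOCK_SUBJECT in (msg.get("Subject") or ""):
        reasons.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BLOCK_BODY in body.get_content():
        reasons.append("body text")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") and archive_has_executable(part.get_payload(decode=True)):
            reasons.append("zip contains executable: " + name)
    return reasons

def build_sample() -> bytes:
    # Constructed look-alike of the quoted email; the "PDF" inside the zip is an .exe.
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("37679041.pdf.exe", b"MZ placeholder, not a real program")
    m = EmailMessage()
    m["From"] = "shop@grci.info"
    m["Subject"] = "Order ID : 37679041"
    m.set_content("Product : Quantity : Price\n" + BLOCK_BODY + "\nSubtotal : 2,449.99\n")
    m.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="37679041.zip")
    return m.as_bytes()
```

Calling `filter_reasons(build_sample())` lists all four matches; a message tripping only the archive check is still worth quarantining, since the scam text varies between copies but the disguised executable does not.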